From ff73dbf144c4c2daa67799a50dfff59cd455c63c Mon Sep 17 00:00:00 2001
From: Rob Cresswell
Date: Wed, 11 Dec 2019 18:05:55 +0000
Subject: [PATCH] fix: sanitise pid parameter (#31)

This patch adds a simple check to the process ID passed in, ensuring it is a number, and throwing an error otherwise.

The aim is to fix the issue explained here:
- https://hackerone.com/reports/701183
- https://snyk.io/vuln/SNYK-JS-TREEKILL-536781

Fixes: #30
---
 index.js | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/index.js b/index.js
index 125afdc..8348b4b 100755
--- a/index.js
+++ b/index.js
@@ -5,6 +5,10 @@ var spawn = childProcess.spawn;
 var exec = childProcess.exec;
 module.exports = function (pid, signal, callback) {
+ if (typeof pid !== "number") {
+ throw new Error("pid must be a number");
+ }
+
 var tree = {};
 var pidsToProcess = {};
 tree[pid] = [];
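Review bot: The added guard `typeof pid !== "number"` at the top of the exported function still lets NaN, Infinity, fractional, zero and negative values through, because all of them have type "number". None of these can carry shell metacharacters, so the injection referenced in the commit message is closed, but they are not valid process IDs; a tighter check would be `if (!Number.isInteger(pid) || pid <= 0) {`. The guard also throws synchronously although the function accepts a `callback`, and callers that pass a numeric string (for example from a command line) will now fail, so consider `pid = parseInt(pid, 10);` before the check and reporting the error through `callback` when one is given. The function body continues outside the hunk, so how `pid` is used further down is inferred from the commit message rather than seen here.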